{ config, pkgs, inputs, ... }:
let
  dns = "regru";
  host = "fail2banana";
  domain = "${host}.ru";
  email = "padimych@gmail.com";
in {
  roles.server = {
    inherit domain;
    adguardhome.enable = true;
    coturn = {
      enable = true;
      extraConfig = ''
        external-ip=37.194.158.176
      '';
      sharedSecretFile = config.age.secrets."coturn-${host}".path;
    };
    nextcloud = {
      enable = true;
      adminpassFile = config.age.secrets."nextcloud-${host}".path;
      home = "/data/nextcloud";
    };
    nginx.enable = true;
    synapse = {
      enable = true;
      dataDir = "/data/matrix-synapse";
      # element = true;
      registrationSharedSecretFile = config.age.secrets."synapse-${host}".path;
    };
    vaultwarden = {
      enable = true;
      environmentFile = "/data/secrets/vaultwarden";
    };
  };

  age.secrets = with inputs.self.modules; {
    "${dns}-${host}".file = secrets."${dns}-${host}";
    "coturn-${host}" = {
      file = secrets."synapse-${host}";
      group = "turnserver";
      mode = "440";
      owner = "turnserver";
    };
    "nextcloud-${host}" = {
      file = secrets."nextcloud-${host}";
      group = "nextcloud";
      owner = "nextcloud";
    };
    "synapse-${host}" = {
      file = secrets."synapse-${host}";
      group = "matrix-synapse";
      owner = "matrix-synapse";
    };
  };

  security.acme.certs.${domain} = {
    credentialFiles.REGRU_PASSWORD_FILE = config.age.secrets."${dns}-${host}".path;
    environmentFile = pkgs.writeText "${dns}-env" ''
      REGRU_USERNAME=${email}
      REGRU_POLLING_INTERVAL=600
      REGRU_PROPAGATION_TIMEOUT=3600
    '';
    domain = "*." + domain;
    dnsPropagationCheck = true;
    dnsProvider = dns;
    dnsResolver = "ns1.reg.ru:53";
    inherit email;
    extraDomainNames = [ domain ];
    inherit (config.security.acme.defaults) group;
    # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
  };

  services.nginx.virtualHosts = {
    ${domain} = {
      forceSSL = true;
      enableACME = true;
      acmeRoot = null;
      extraConfig = ''
        add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
      '';
    };

    "*.${domain}" = {
      default = true;
      forceSSL = true;
      useACMEHost = domain;
      globalRedirect = domain;
    };
  };
}
